Do You Care About Due Care?

Back in February of 2013, the president signed an executive order that called for a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” that would guide the IT security and risk management efforts of organizations responsible for “critical infrastructure services”.

Who are those organizations? It’s almost easier to say who ISN’T in that group. “Critical infrastructure services” means, in part, organizations involved in Communications… Energy… Banking and finance… Key elements of manufacturing… Information technology… Utilities… Emergency services… Defense and defense industries… Transportation… Food and agriculture… Health and health services…

In other words, my wife – who works with pre-school age children – does NOT need to worry about adhering to the executive order. Pretty much everyone else DOES.

This “approach” has now been codified and expressed by the National Institute of Standards and Technology (NIST) in their very solid “Preliminary Cybersecurity Framework”, which has been published for a 45-day public comment period. We should see it finalized in February 2014, and I’m excited to see what change it brings.

due care (noun) … the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty

I think in many respects the NIST cybersecurity framework may trump the 20CSC in becoming a new standard for Due Care.

I’m particularly impressed by the Tier 4 “Adaptive” section in the new framework. Read this section and tell me if you don’t think it prescribes a new way to think.

Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous cybersecurity activities. Through a process of continuous improvement, the organization actively adapts to a changing cybersecurity landscape and responds to emerging/evolving threats in a timely manner.

Integrated Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs.

Getting people to use and operationalize IT security controls is one thing. But getting people to think differently about security is a different beast altogether. It’s a great deal harder to do, but the results are exponentially more powerful. It seems to me like this framework is one of the first to focus on behavioral changes.

A risk management process based on “lessons learned” and “continuous improvement”

Integrated programs that speak in terms of “risk-informed policies” and an evolving “organizational culture”

These points sound more like efforts to change culture than implement security technologies. They’re aimed more at changing how we think about controls than changing the priority with which we implement the controls.

Which brings us back around to the concept of Due Care.

The new NIST framework will establish, I believe, a new definition of the proper way to think about cybersecurity programs. From a legal standpoint, the question following a breach might no longer be “Were they compliant?” It may very well become “Were they thinking correctly about their security program?”

And how well their security program aligns to the NIST framework and the thinking it suggests may well become the litmus test that proves or disproves that point.